When merging Queries, Quotes appear in merged Query

Question

Ive been working on a Filter System for my searchfunction. There are a total of 4 Things to sort by (Group, First Name, Last Name, Company), so the amount of possible variantions make it impossible to just hardcode the query for each possible filter-version.

So I basically made a bunch of small queries which I fuze together at the end to give me the final query. But for some reason theres quotes in my query, which makes it fail.

So assuming I search for the term "vic" I get 2 results that are people called victor. One of them works at a Company the other doesnt. So I enter the other Victors company "LexCorp" (I use Batman Villains for dummy data) into the Company Filter. Now I should get the query:

SELECT Titel, Vorname, Nachname, Unternehmen, Gruppe, Geschlecht FROM mitglieder WHERE Unternehmen LIKE '%LexCorp%' AND Titel LIKE '%vic%' OR Unternehmen LIKE '%LexCorp%' AND Vorname LIKE '%vic%' OR Unternehmen LIKE '%LexCorp%' AND Nachname LIKE '%vic%'

But for whatever reason I get:

SELECT Titel, Vorname, Nachname, Unternehmen, Gruppe, Geschlecht FROM mitglieder WHERE'' Unternehmen LIKE '%LexCorp%'' AND Titel LIKE '%vic%''' OR ' Unternehmen LIKE '%LexCorp%'' AND Vorname LIKE '%vic%''' OR ' Unternehmen LIKE '%LexCorp%'' AND Nachname LIKE '%vic%''''

I am just totally unable to flag down whatever mistake I made in my code. Can anybody spot what I missed?

Heres my PHP:

    if(isset($_POST['search'])){                                                
    $searchq = $_POST['searchq'];                                                                                                               
    $gruppenfilter = $_POST['typfilter'];
    $vorname = $_POST['vorname'];
    $nachname = $_POST['nachname'];
    $unternehmen = $_POST['unternehmen'];
    $filcounter = 0;
    $TitelQuery = NULL;
    $VornameQuery = NULL;
    $NachnameQuery = NULL;
    $UnternehmenQuery = NULL;

    $searchquery = "SELECT Titel, Vorname, Nachname, Unternehmen, Gruppe, Geschlecht FROM mitglieder WHERE";


    $FilterArray = filterQuery($gruppenfilter, $vorname, $nachname, $unternehmen);
    $NoFilter = $FilterArray['NoFilter'];
    $FilterQuery = $FilterArray['FilterQuery'];
    $nachnameused = $FilterArray['nachnameused'];
    $vornameused = $FilterArray['vornameused'];
    $unternehmenused = $FilterArray['unternehmenused'];


    if($NoFilter == false){
        $TitelQuery = "'$FilterQuery' AND Titel LIKE '%$searchq%'";

        if($vornameused == false){
            $VornameQuery = " OR '$FilterQuery' AND Vorname LIKE '%$searchq%'";
        }
        if($nachnameused == false){
            $NachnameQuery = " OR '$FilterQuery' AND Nachname LIKE '%$searchq%'";
        }
        if($unternehmenused == false){
            $UnternehmenQuery = " OR '$FilterQuery' AND Unternehmen LIKE '%$searchq%'";
        }

        $searchquery .= "'$TitelQuery''$VornameQuery''$NachnameQuery''$UnternehmenQuery'";
    }
    else{
        $searchquery .= " Titel LIKE '%$searchq%' OR Vorname LIKE '%$searchq%' OR Nachname LIKE '%$searchq%' OR Unternehmen LIKE '%$searchq%'";    
    }



    echo $searchquery;

}
else{
    $searchquery = "SELECT Titel, Vorname, Nachname, Unternehmen, Gruppe, Geschlecht FROM mitglieder";
    $searchresult = filterTable($searchquery);
}

Heres the code of the function used in the code:

function filterQuery ($gruppenfilter, $vorname, $nachname, $unternehmen)
{
    $used = false;
    $vornameused = false;
    $nachnameused = false;
    $unternehmenused = false;

    $NoFilter = true;

    $FilterQuery = "";

    if(! empty($gruppenfilter)){
        $FilterQuery .= " Gruppe LIKE '%$gruppenfilter%'";
        $NoFilter = false;
        $used = true; 
    }
    if(! empty($vorname)){
        if ($used == true){
            $FilterQuery .= " AND Vorname LIKE '%$vorname%'";    
        }
        else{
            $FilterQuery .= " Vorname LIKE '%$vorname%'";
            $used = true;
            $NoFilter = false;
        }

        $vornameused = true;
    }
    if(! empty($nachname)){
        if ($used == true){
            $FilterQuery .= " AND Nachname LIKE '%$nachname%'";
        }
        else{
            $FilterQuery .= " Nachname LIKE '%$nachname%'";
            $used = true;
            $NoFilter = false;
        }

        $nachnameused = true;
    }
    if(! empty($unternehmen)){
        if ($used == true){
            $FilterQuery .= " AND Unternehmen LIKE '%$unternehmen%'";
        }
        else{
            $FilterQuery .= " Unternehmen LIKE '%$unternehmen%'";
            $NoFilter = false;
        }

        $unternehmenused = true;
    }

    $FilterArray['NoFilter'] = $NoFilter;
    $FilterArray['FilterQuery'] = $FilterQuery;
    $FilterArray['nachnameused'] = $nachnameused;
    $FilterArray['vornameused'] = $vornameused;
    $FilterArray['unternehmenused'] = $unternehmenused;

    return $FilterArray;
}

Answer 1

In your php query you doing something like this and that causes the issue.

$searchquery .= "'$TitelQuery''$VornameQuery''$NachnameQuery''$UnternehmenQuery'";

you can concatenate php string as follows.

$searchquery .= "$TitelQuery $VornameQuery $NachnameQuery $UnternehmenQuery";

that will remove all extra quotes.

Answer 2

I agree with the comments that say you should use prepared statements, but for the issue you're having, in this part:

if($NoFilter == false){
        $TitelQuery = "'$FilterQuery' AND Titel LIKE '%$searchq%'";

        if($vornameused == false){
            $VornameQuery = " OR '$FilterQuery' AND Vorname LIKE '%$searchq%'";
        }
        if($nachnameused == false){
            $NachnameQuery = " OR '$FilterQuery' AND Nachname LIKE '%$searchq%'";
        }
        if($unternehmenused == false){
            $UnternehmenQuery = " OR '$FilterQuery' AND Unternehmen LIKE '%$searchq%'";
        }

You want to remove the quotes around $FilterQuery

The reason you have single quotes around variables in other parts of your sql query is that for the SQL to work, you need the quotes because the variables represent strings. In the case of $FilterQuery it actually represents parts of an SQL query, not strings within it.

--edit--

The answer provided by Lahiru Madusanka is also right - a problem for the same reason - you're putting quotes around SQL query, not strings